5

I spent many days and nights trying to find a proper Java framework that could connect to Microsoft Dynamics CRM which uses Negotiate/NTLM authentication. I tried all existing suggestions on Stackoverflow and other resources with JAX-WS, Axis2, CXF with various HTTP protocol handlers. No one of them worked as expected. The best approach currently is Axis2/commons-httpclient-3.1, where I can trace at least all three phases with NTLM digest, however the target IIS still refuses the authentication with 401 Unauthorized. Apache CXF — both with a built-in Java6 NTLM support and jCIFS, which some people suggested as a remedy, didn't work either as the former fails on the second 401 response (while it should have been send the third request, according to the protocol) and the latter one attempts to read the response code from an empty input stream and fails.

So, the question is whether anybody has succeeded to master an NTLM-protected SOAP web service from the Java 6 platform?

skaffman
  • 398,947
  • 96
  • 818
  • 769
Jiří Vypědřík
  • 1,324
  • 12
  • 24
  • Check around: Kerberos profile support should be in CXF (see [`KerberosTokenPolicyValidator`](http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java?view=markup&pathrev=1149227)). Otherwise check [wss4j-kerberos](http://wss4j-kerberos.svn.sourceforge.net/viewvc/wss4j-kerberos/trunk/src/org/apache/ws/security/processor/KerberosTicketProcessor.java?revision=HEAD&view=markup) project. – dma_k Oct 21 '11 at 13:22
  • Hi! Have you solved it? – Ignacio Ocampo Dec 11 '14 at 06:23
  • Yes. See http://stackoverflow.com/a/7274388/802831 – Jiří Vypědřík Dec 24 '14 at 16:13

2 Answers2

1

I was hoping somebody else would chime in, as my knowledge of this area is several years old now and perhaps not the best advice - in particular, I've only worked with commons-httpclient 3 and none of the newer packages that promise to do NTLM/NTLMv2 correctly.

As you've probably noticed, commons-httpclient 3's NTLM authentication code supports only NTLM, not the newer NTLMv2 protocol. My solution to this problem was to use commons-httpclient 3 and replace the NTLM authentication code with an NTLMv2 capable solution. Fortunately, the NTLMv2 specification is published by Microsoft. It's honestly not terrible difficult to implement but of course it's now something you have to maintain yourself which may not be desirable for a number of reasons.

Edward Thomson
  • 74,857
  • 14
  • 158
  • 187
0

I forgot so say that I did find a solution myself. The clue is to replace the standard Java protocol stack with Jespa+jCIFS and make some minor patch to work it with JAX-WS.

Jiří Vypědřík
  • 1,324
  • 12
  • 24